The breach totals in our data set have decreased from last year, primarily due to the absence of POS vendor incidents of the kind that have led to numerous organizations being compromised with stolen partner credentials.
87 incidents, 61 with confirmed data disclosure
Top 3 patterns: Point of Sale intrusions, Web applications and Crimeware patterns represent 93% of all data breaches within Accommodation
External (95%), Internal (5%) (breaches)
Financial (100%) (breaches)
Payment (77%), Credentials (25%), Internal (19%) (breaches)
How can we be of service?
The Accommodation industry prides itself on hospitality, and over the years it has been far too hospitable to criminals. Financially motivated actors are bringing home the bacon by compromising the Point of Sale (POS) environments and collecting customers’ payment card data. Table 3 lists the 10 most common combinations of threat action varieties and assets. These are pairings that are found in the same breach, but not necessarily the same event or step in the breach.
As stated above, some of these combinations are indicative of a specific action taken against a specific asset (e.g., RAM Scraping malware infecting a POS terminal). Others show that some actions are conducted earlier or later in event chains that feature a particular asset – you don’t phish a laptop, but you may phish a human and install malware on his/her laptop in the next step. In brief, the game has not changed for this industry. POS Controllers are compromised and malware specifically designed to capture payment card data in memory is installed and extended to connected POS Terminals. While these POS intrusions are often a small business issue, large hotel and restaurant chains can learn from this data and, if they use a franchise business model, disseminate this knowledge to their franchisees.
The RAM scrapers may be the specialty of the house, but malware does not spontaneously appear on systems. When the infection vector is known, it is typically a direct installation after the actors use stolen, guessable, or default credentials to gain access into the POS environment.
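One way to turn the chain described above into a detection, as an added example that is not from the report: link a remote login to a POS controller that used a default account or followed repeated failures to executables that later appear on that controller or its terminals. The event fields, host names, account list, address range and thresholds are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                  # assumed internal address range
DEFAULT_ACCOUNTS = {"admin", "pos", "support"}       # assumed default/shared logins
TERMINALS = {"pos-ctrl-01": {"term-01", "term-02"}}  # controller -> attached terminals
FAIL_THRESHOLD = 3            # failures from one source before a success
WINDOW = timedelta(hours=24)  # how long after a risky login installs are linked

# Constructed events: (timestamp, host, kind, detail)
EVENTS = [
    ("2024-03-01T02:10:00", "pos-ctrl-01", "login_fail", {"user": "manager", "src": "203.0.113.7"}),
    ("2024-03-01T02:10:05", "pos-ctrl-01", "login_fail", {"user": "manager", "src": "203.0.113.7"}),
    ("2024-03-01T02:10:09", "pos-ctrl-01", "login_fail", {"user": "manager", "src": "203.0.113.7"}),
    ("2024-03-01T02:10:14", "pos-ctrl-01", "login_ok", {"user": "manager", "src": "203.0.113.7"}),
    ("2024-03-01T02:25:00", "pos-ctrl-01", "new_binary", {"path": "C:\\Temp\\svc.exe"}),
    ("2024-03-01T02:40:00", "term-02", "new_binary", {"path": "C:\\Temp\\svc.exe"}),
    ("2024-03-01T09:00:00", "pos-ctrl-01", "login_ok", {"user": "manager", "src": "10.1.2.3"}),
    ("2024-03-05T11:00:00", "term-01", "new_binary", {"path": "C:\\POS\\update.exe"}),
]

def correlate(events):
    """Return alerts linking risky remote logins to later binary installs."""
    fails, risky, alerts = {}, [], []
    for ts, host, kind, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "login_fail":
            fails[(host, d["src"])] = fails.get((host, d["src"]), 0) + 1
        elif kind == "login_ok":
            n = fails.pop((host, d["src"]), 0)  # failures preceding this success
            external = ip_address(d["src"]) not in INTERNAL
            reasons = [r for r, hit in (("default-account", d["user"] in DEFAULT_ACCOUNTS),
                                        ("guessing", n >= FAIL_THRESHOLD)) if hit]
            if external and reasons:
                risky.append((t, host, d["src"], reasons))
        elif kind == "new_binary":
            for t0, ctrl, src, reasons in risky:
                in_scope = host == ctrl or host in TERMINALS.get(ctrl, ())
                if in_scope and t0 <= t <= t0 + WINDOW:
                    alerts.append({"host": host, "path": d["path"], "controller": ctrl,
                                   "src": src, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A login with stolen but valid credentials trips neither rule here, so an allow-list of expected remote sources for the controller is the natural companion check.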